Monitoring Incoming IP Connections in Linux: Real-Time Analysis with netstat, ss, and tcpdump



When administering a Linux server, monitoring incoming connections is crucial for security and troubleshooting. Here are the most effective command-line tools:

# Listening sockets (what the server exposes); -l hides established connections
sudo netstat -tulnp

# Modern alternative to netstat; -a lists listening and established sockets
sudo ss -tunap

# Real-time packet capture (-n: no DNS lookups, which are slow and visible to the peer)
sudo tcpdump -i eth0 -n

Let's examine the key columns from ss -tan output (adding -u appends a Netid column and -p a Process column; the example omits them):

State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      192.168.1.100:22    203.0.113.45:54234

Peer Address:Port is the remote IP and the ephemeral source port it connected from; Local Address:Port is the service it reached on your server (here SSH on port 22). Recv-Q and Send-Q are bytes queued in each direction for an established connection; for a LISTEN socket they show the current and maximum accept backlog instead.
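The following is an added example, not code from the original page: it parses the Peer Address:Port column described above and counts established connections per remote host, which is also the quickest way to spot one IP holding an unusual number of connections. The `ss -tan` output embedded in it is constructed so the functions can be tried offline; on a live server pipe real `ss -tan` output into `peer_counts` instead. The threshold passed to `flag_peers` is an arbitrary placeholder.

```shell
# Added example, not from the original page: count established TCP connections
# per remote host by parsing the Peer Address:Port column of `ss -tan`.

# Constructed sample of `ss -tan` output (IPv4, IPv4-mapped and IPv6 peers).
# On a live host use:  ss -tan | peer_counts
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port         Peer Address:Port
LISTEN    0      128    0.0.0.0:22                 0.0.0.0:*
ESTAB     0      0      192.168.1.100:22           203.0.113.45:54234
ESTAB     0      0      192.168.1.100:22           203.0.113.45:54235
ESTAB     0      0      192.168.1.100:443          198.51.100.7:40001
ESTAB     0      0      [::ffff:192.168.1.100]:443 [::ffff:203.0.113.45]:40002
ESTAB     0      0      [2001:db8::10]:443         [2001:db8:1::5]:51000
TIME-WAIT 0      0      192.168.1.100:443          198.51.100.7:40000'

# peer_counts: read `ss -tan` output on stdin; print "<count> <peer-ip>" for
# ESTAB rows, highest count first. The port is cut at the last ':' so IPv6
# peers survive, brackets are removed, and IPv4-mapped IPv6 is unwrapped so
# a dual-stack peer is counted as one host.
peer_counts() {
    awk '$1 == "ESTAB" {
            peer = $5
            sub(/:[^:]*$/, "", peer)       # drop ":port" after the last colon
            gsub(/\[/, "", peer)           # drop IPv6 brackets ...
            gsub(/]/, "", peer)            # ... both sides
            sub(/^::ffff:/, "", peer)      # ::ffff:a.b.c.d -> a.b.c.d
            n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -rn -k1,1
}

# flag_peers THRESHOLD: peers holding at least THRESHOLD connections. The
# threshold is a placeholder; tune it per service (an HTTP/2 client legitimately
# holds a handful, an SSH brute-forcer opens many).
flag_peers() {
    peer_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_SS" | peer_counts
printf '%s\n' "$SAMPLE_SS" | flag_peers 3
```

TIME-WAIT and LISTEN rows are skipped on purpose: only ESTAB rows represent a peer that currently holds a connection, and the IPv4-mapped entry for 203.0.113.45 is folded into the same host, so it is reported once with three connections.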

For real-time monitoring, combine these tools with watch:

# Refresh every 2 seconds; -a includes established sockets, which -l alone would hide
watch -n 2 "ss -tanp"

# Filter for a specific local port; a bare ':80' would also match :8080 and :8000
watch -n 1 "netstat -anp | grep -E ':80( |$)'"

For deep packet inspection of incoming connections (tcpdump sees packets rather than sockets, so it also shows SYNs to closed or firewalled ports that never become connections):

# Capture HTTP traffic
sudo tcpdump -i eth0 -n 'tcp port 80'

# Capture first 100 packets from specific IP
sudo tcpdump -i eth0 -n -c 100 'src host 192.0.2.1'

Create persistent logs of incoming connections:

# Append a snapshot of established connections every 5 seconds.
# This is a snapshot log, not a log of new connections: anything shorter
# than the interval is missed, and long-lived connections appear in every
# snapshot. With a state filter, ss omits the State column from its output.
# Run as root to write under /var/log.
while true; do
    date >> /var/log/connections.log
    ss -tn state established >> /var/log/connections.log
    sleep 5
done

When monitoring production servers:

  • Use sudo only where needed: ss and netstat work unprivileged, but -p maps sockets only to processes you own unless run as root, and tcpdump needs capture rights
  • Rotate log files (logrotate) so a polling logger cannot fill the disk
  • Consider fail2ban, which watches service logs for repeated failures and adds firewall rules automatically; the tools above show connections but do not block them

Here is a second pass over the same three tools, with the flags broken down:

The traditional netstat command provides comprehensive connection information:

netstat -tulnp

Breakdown of flags:

-t: Show TCP sockets

-u: Show UDP sockets

-l: Display listening sockets only (omit -l, or add -a, to include established connections)

-n: Show numerical addresses and ports (no DNS or /etc/services lookups)

-p: Show the owning process (root required to see other users' processes)

The ss tool (socket statistics) reads socket state through the kernel's netlink interface, so it is faster than netstat on hosts with many connections and is the recommended tool on current distributions, where netstat (net-tools) is deprecated. The flags mirror netstat's; -a shows all sockets, listening and established, whereas without it ss lists only non-listening ones:

ss -tunap

Example output showing an incoming SSH connection (the Netid and Process columns that -u and -p add are trimmed):

State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port   
ESTAB    0        0          192.168.1.100:22        203.0.113.45:54321

For deep inspection of incoming traffic (replace your_server_ip with the address on that interface; -n stops tcpdump from resolving names, which is slow and sends a DNS query for every peer):

sudo tcpdump -ni eth0 'dst host your_server_ip'

Filter specific ports (e.g., HTTP/HTTPS):

sudo tcpdump -ni eth0 'dst port 80 or dst port 443'

Combine with watch for real-time updates every 2 seconds:

watch -n 2 "ss -tunap | grep ESTAB"

Create a persistent connection logger (as above, this records snapshots rather than new connections; run it as root to write under /var/log and rotate the file):

#!/bin/bash
# Append a full socket snapshot every 5 seconds; connections shorter than
# the interval are missed and long-lived ones repeat in every snapshot.
while true; do
    date >> /var/log/connections.log
    ss -tunap >> /var/log/connections.log
    sleep 5
done
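Both loggers on this page append a whole snapshot every few seconds, so a long-lived session is written hundreds of times and the log never says when a connection first appeared. The script below is an added example, not code from the original page: it keeps the previous snapshot, diffs it against the current one with `comm`, and writes one timestamped line per connection that is new. The log path, interval and line format are assumptions, and the two `ss` snapshots embedded in it are constructed so the diff can be exercised offline; `log_loop` is the live version.

```shell
#!/bin/sh
# Added example, not code from the original page: log only connections that
# are new since the previous snapshot, instead of re-logging every snapshot.
# Assumptions (not from the page): LOG, INTERVAL and the output line format.
export LC_ALL=C          # byte-order sort so `comm` sees consistently sorted input

LOG="${LOG:-/var/log/connections.log}"
INTERVAL="${INTERVAL:-5}"

# snapshot_keys: read `ss -tan` output on stdin, emit one sorted, unique
# "local:port<TAB>peer:port" key per established connection. Filtering on
# the State column here (rather than using `ss state established`, which
# drops that column) keeps the parser uniform.
snapshot_keys() {
    awk '$1 == "ESTAB" { print $4 "\t" $5 }' | sort -u
}

# new_connections PREV CUR: keys present in CUR but absent from PREV.
# Both files must come from snapshot_keys (sorted, unique).
new_connections() {
    comm -13 "$1" "$2"
}

# Constructed snapshots so the diff can be exercised offline.
PREV_SS='State Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB 0      0      192.168.1.100:22    203.0.113.45:54234
ESTAB 0      0      192.168.1.100:443   198.51.100.7:40001'
CUR_SS='State Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB 0      0      192.168.1.100:22    203.0.113.45:54234
ESTAB 0      0      192.168.1.100:22    203.0.113.45:54300
ESTAB 0      0      192.168.1.100:443   198.51.100.7:40001
ESTAB 0      0      [2001:db8::10]:443  [2001:db8:1::5]:51000'

# demo_new: diff the constructed snapshots; prints the two keys that are new.
demo_new() {
    tmp=$(mktemp -d)
    printf '%s\n' "$PREV_SS" | snapshot_keys > "$tmp/prev"
    printf '%s\n' "$CUR_SS"  | snapshot_keys > "$tmp/cur"
    new_connections "$tmp/prev" "$tmp/cur"
    rm -rf "$tmp"
}
demo_new

# log_loop: the live logger. One line per new connection:
#   <UTC timestamp> NEW <local:port> <peer:port>
# Root is needed only if $LOG requires it (ss without -p does not). Rotate
# $LOG with logrotate. Connections shorter than $INTERVAL are still missed;
# use tcpdump to catch those.
log_loop() {
    dir=$(mktemp -d)
    : > "$dir/prev"
    while true; do
        ss -tan | snapshot_keys > "$dir/cur"
        new_connections "$dir/prev" "$dir/cur" |
            while read -r laddr paddr; do
                printf '%s NEW %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$laddr" "$paddr"
            done >> "$LOG"
        mv "$dir/cur" "$dir/prev"
        sleep "$INTERVAL"
    done
}

# Uncomment to start the live logger:
# log_loop
```

The key is the full local:port/peer:port pair, so a second session from the same client (here 203.0.113.45:54300) is reported as new while the existing 203.0.113.45:54234 session is not repeated. Keying on peer IP alone would suppress that second session, which is exactly the "many connections from one IP" signal you want to keep.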

Always monitor these common attack patterns:

- Many or rapid connections from a single IP (compare per-peer connection counts between snapshots)

- Port scanning: one source touching many ports, visible in tcpdump as SYNs to ports nothing is listening on

- Connections from locations where you have no users; ss and tcpdump show only addresses, so this needs an offline GeoIP lookup rather than reverse DNS, whose PTR records the peer's owner controls